1.2 Securing Directory Access

Make sure that you secure access to Identity Vaults and to Identity Manager objects.

Physical Security:
Protect access to the physical location of the servers where an Identity Vault is installed.

File System Access:
The security of the file system for Identity Manager is critical to ensuring the security of the system as a whole. Verify that the directories containing eDirectory, the Metadirectory engine, and the Remote Loader are accessible only to the appropriate administrators.

Restrict access to Password policy objects (and to the iManager task for editing them): they control which passwords are synchronized to each other and which Password Self-Service options are used, so anyone who can edit them can change where passwords flow.

1.2.1 Granting Task-Based Access to Drivers and Driver Sets

In addition to the eDirectory standard object-based access controls, Identity Manager lets you assign trustee rights to perform only certain tasks on an Identity Manager driver, rather than just granting full Supervisor rights to the driver object. For example, you can assign trustee rights so that one user can only configure the driver object (create and modify object properties), while another user can only start and stop the driver.

Setting trustee rights on the DirXML-Access attributes of a driver or driver set object grants access to the associated Identity Manager verbs and sub-verbs. Read access lets users view state (get verb state), and Write access lets users modify or change state (set verb state). For example, granting Read access to a driver object's DirXML-AccessRun attribute lets the user get the driver state (started or stopped). Granting Write access lets the user set the driver state (change from started to stopped, or vice versa).

The goal of providing this attribute-based access to driver tasks is to let you create well-defined administrative roles, perhaps using the eDirectory Administrative Role object, that let users perform certain management tasks without exposing all management functionality. Creating these roles can go beyond providing access to the DirXML-Access attributes described above and can include access rights to other attributes, as well as access to other Identity Manager objects. The following examples demonstrate the flexibility available for creating administrative roles:

Start/Stop Driver Admin:
This administrative role lets the assigned user start and stop all drivers in a given driver set. It requires the following access rights:

Browse rights to the Driver Set object

Read and Write access, with inheritance, to the DirXML-AccessRun attribute of the Driver Set object

Driver Admin:
This administrative role lets the assigned user manage a single Driver object. It requires the following access rights:

Browse and Create rights to the Driver object

Read and Write access to [All Attribute Rights] in the Driver object

NOTE: Make sure the rights are inherited so the Driver Admin can also manage the driver's policy objects, which are subordinate to the Driver object.
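The following is an added example, not code from the Identity Manager documentation, that shows what the two roles above look like as eDirectory ACL values and how to audit them for least privilege. eDirectory exposes trustee assignments through the ACL attribute in the form privileges#scope#subjectname#protectedattrname, where scope is "entry" or "subtree" (subtree means the assignment is inherited) and the attribute-rights placeholder is written "[All Attributes Rights]" in LDAP. The privilege bit values, the DNs, and the LDIF dump are assumptions and constructed sample data; confirm the bit meanings against the eDirectory documentation for your version before relying on the checks. The script parses the dump, collects each trustee's rights per protected attribute, and reports three classes of finding: rights the role requires but the trustee lacks, rights that are not inherited although the role needs inheritance, and excess rights (Supervisor or any attribute outside the role definition), which is the over-grant this section is warning against.

```python
"""Audit eDirectory ACL values (exported as LDIF) against the task-based
Identity Manager roles: Start/Stop Driver Admin and Driver Admin.
Added example with constructed data; not Identity Manager's own code."""
from dataclasses import dataclass

# Privilege bits of an ACL value "privileges#scope#subject#protectedattr".
# ASSUMPTION: bit meanings follow the eDirectory LDAP ACL convention; entry rights
# and attribute rights use different meanings. Confirm against your version's docs.
ENTRY_BROWSE, ENTRY_CREATE, ENTRY_DELETE, ENTRY_RENAME, ENTRY_SUPERVISOR = 1, 2, 4, 8, 16
ATTR_COMPARE, ATTR_READ, ATTR_WRITE, ATTR_SELF, ATTR_SUPERVISOR = 1, 2, 4, 8, 32
ENTRY_RIGHTS = "[Entry Rights]"
ALL_ATTRS = "[All Attributes Rights]"


@dataclass(frozen=True)
class Acl:
    privileges: int
    scope: str      # "entry" (this object only) or "subtree" (inherited)
    subject: str    # trustee DN
    protected: str  # attribute name, ENTRY_RIGHTS or ALL_ATTRS


def parse_acl(value: str) -> Acl:
    """Split one ACL attribute value into its four '#'-separated fields."""
    parts = value.split("#", 3)
    if len(parts) != 4 or parts[1] not in ("entry", "subtree"):
        raise ValueError(f"malformed ACL value: {value!r}")
    return Acl(int(parts[0]), parts[1], parts[2], parts[3])


def acls_from_ldif(text: str) -> dict[str, list[Acl]]:
    """Group the ACL values of each entry in a simple (unfolded) LDIF dump by DN."""
    result, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            result[dn] = []
        elif line.startswith("ACL: ") and dn is not None:
            result[dn].append(parse_acl(line[5:].strip()))
    return result


# Role definitions from the text: protected attribute -> (required bits, must inherit).
# Browse is required with subtree scope so the drivers under the set are visible (assumption).
START_STOP_DRIVER_ADMIN = {
    ENTRY_RIGHTS: (ENTRY_BROWSE, True),
    "DirXML-AccessRun": (ATTR_READ | ATTR_WRITE, True),
}
DRIVER_ADMIN = {
    ENTRY_RIGHTS: (ENTRY_BROWSE | ENTRY_CREATE, True),
    ALL_ATTRS: (ATTR_READ | ATTR_WRITE, True),
}


def supervisor_bit(protected: str) -> int:
    return ENTRY_SUPERVISOR if protected == ENTRY_RIGHTS else ATTR_SUPERVISOR


def audit_role(acls: list[Acl], trustee: str, role: dict) -> list[str]:
    """Return findings for `trustee`; an empty list means exactly the role's rights are held."""
    findings, granted, scopes = [], {}, {}
    for acl in acls:
        if acl.subject.lower() != trustee.lower():
            continue
        granted[acl.protected] = granted.get(acl.protected, 0) | acl.privileges
        scopes.setdefault(acl.protected, set()).add(acl.scope)
    for protected, (required, inherit) in role.items():
        have = granted.get(protected, 0)
        # Supervisor implies every right; it is reported below as excess instead of as missing.
        if not have & supervisor_bit(protected) and required & ~have:
            findings.append(f"{protected}: missing privilege bits {required & ~have:#x}")
        if inherit and have and "subtree" not in scopes[protected]:
            findings.append(f"{protected}: scope 'entry' only, rights are not inherited")
    for protected, have in granted.items():
        allowed = role.get(protected, (0, False))[0]
        if have & ~allowed:
            findings.append(f"{protected}: excess privilege bits {have & ~allowed:#x}")
    return findings


# Constructed sample dump (hypothetical DNs): one correct role, one over-granted
# helpdesk trustee, and a Driver Admin whose attribute rights are not inherited.
SAMPLE_LDIF = """\
dn: cn=DriverSet,ou=IDM,o=acme
ACL: 1#subtree#cn=idm-startstop,ou=roles,o=acme#[Entry Rights]
ACL: 6#subtree#cn=idm-startstop,ou=roles,o=acme#DirXML-AccessRun
ACL: 16#subtree#cn=helpdesk,ou=roles,o=acme#[Entry Rights]
ACL: 32#subtree#cn=helpdesk,ou=roles,o=acme#[All Attributes Rights]

dn: cn=ActiveDirectory,cn=DriverSet,ou=IDM,o=acme
ACL: 3#subtree#cn=idm-ad-admin,ou=roles,o=acme#[Entry Rights]
ACL: 6#entry#cn=idm-ad-admin,ou=roles,o=acme#[All Attributes Rights]
"""


def audit_sample() -> dict[str, list[str]]:
    """Run the checks over SAMPLE_LDIF; result is keyed by trustee DN."""
    by_dn = acls_from_ldif(SAMPLE_LDIF)
    driver_set = by_dn["cn=DriverSet,ou=IDM,o=acme"]
    ad_driver = by_dn["cn=ActiveDirectory,cn=DriverSet,ou=IDM,o=acme"]
    return {
        "cn=idm-startstop,ou=roles,o=acme": audit_role(
            driver_set, "cn=idm-startstop,ou=roles,o=acme", START_STOP_DRIVER_ADMIN),
        "cn=helpdesk,ou=roles,o=acme": audit_role(
            driver_set, "cn=helpdesk,ou=roles,o=acme", START_STOP_DRIVER_ADMIN),
        "cn=idm-ad-admin,ou=roles,o=acme": audit_role(
            ad_driver, "cn=idm-ad-admin,ou=roles,o=acme", DRIVER_ADMIN),
    }


if __name__ == "__main__":
    for trustee, findings in audit_sample().items():
        print(trustee, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run against a real export (for example an LDIF dump of the driver set subtree that includes the ACL attribute), the same audit_role call flags a helpdesk trustee that was given Supervisor entry rights instead of the Start/Stop Driver Admin rights, and a Driver Admin whose [All Attributes Rights] assignment has "entry" scope and therefore does not reach the driver's policy objects.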